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The Problem: An EXE without I AT 



Some malware employ protections that 
redirect the IAT, some completely destroy 
it 

When ImpREC falls short, QuietRIATT to 
the rescue! 

Lengthy manual labor now takes seconds 

Uses Detours to record DLL calls and 
assist in rebuilding the IAT 



RIVERSIDE RESEARCH INSTITUTE 



The Problem: An EXE without IAT 


*■ 


Normal IAT 




Redirected IAT - 
Jump Table 




GetCurrentProcessId 




JMPxxxxxxxx 


' QueryPerformanceCounter 
1 


GetCurrentThreadld 


JMPxxxxxxxx 


1^^^ ^^^B GetTickCount 


GetTickCount 


JMPxxxxxxxx 


L^\^ 


QueryPerformanceCounter 


JMPxxxxxxxx 


XyS \ I GetCurrentThreadld 


\- M IsDebuggerPresent 


IsDebuggerPresent 


JMPxxxxxxxx 


\ 






ifl GetCurrentProcessId 








Redirected IAT - 
Munge 


I 








???? 




???? 


???? 


???? 


???? 
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The Problem: An EXE without I AT 



— 



Removing Malware 

Wrapper-Style 

Protections 




Change EP to 
OEP 



Use ImpREC to 
fixlAT 




No 



Yes 



You're done! 



/Time consuming 
Error prone 

Subject to anti-debugging 



Fix IAT by hand 




RIVERSIDE RESEARCH INSTITUTE 



The Problem: An EXE without I AT 



— 



Removing Malware 

Wrapper-Style 

Protections 




Change EP to 
OEP 



Use ImpREC to 
fixlAT 




Allows automation of more cases 
Saves time 



/ 



No 



Use QuietRIATT 
to fix IAT 



Yes 



You're done! 






Fix IAT 


h\/ hanrl . 








► 


No 






No 




' Did it work? >j 



Yes 
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How QuietRIATT Works 



1 ) Hook DLL calls using modified MS Detours 

2) Detours 'traceapi' generates a log file of DLL 

calls 

3) QuietRIATT annotates the IDAPro database 

4) QuietRIATT generates a tree file with IAT info 

5) Import tree file into ImpREC 
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Why Detours 



Wanted something like Linux 'strace' 

- Traces system calls 

Detours - 'traceapi' 

- Similar to strace but traces DLL calls 

- Outputs parameters and return values 

- Helps see 'real' DLL calls from kemel32, 
user32, etc 

• This helps us when rebuilding IAT 
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Detours 



Process 
Space 





DLL 



Hooked 
DLL func 



Trampoline 



_ Injected "JMP HookedDLL func" 

Disassembled code gets stored in Trampoline 



Preprocessing/Postprocessing 



Optional - call real DLL routine 



Disassembled code executed and jmp back 
"* To targeted DLL function 
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Detours Macro 






_win32.cpp is found in TRACEAPI found in detours under samples 



voi 
{ 


d stdcall Mine 


_Sleep (DWORD dwMi 


lliseconds) 








PRINT_CALLER;4^ 


f LlhLLnter ("Sleep 


(Ox%X)\n", 


dwHi 


11 


iseconds) ; 




_try { 














Real Sleep ( 


dwMilliseconds) ; 












} _finally { 

PrintExit ( 


"Sleep () ->\n") 


f 










}; 












} 















Inject macro 



Macro Code: 



^define GET CALLER ADDR 


\ 






{ 


\ 






asm ttiov eax, ebp 


\ 






asm add eax, 4 


\ 






asm mov pStack, eax 

} 


\ 






^define PRINT CALLER \ 








{ \ 








int *pStack =0; \ 








GET CALLER ADDR \ 








_Print ["[[[ %X ] ]]\n" 

} 


r 


fr pStack ) 


; \ 
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Detours in action 






Kernel32 Sleep API call is rerouted to trampoline space 
Return address is pushed on the stack 









001I017F3 


push 


ecx 


004017F4 


push 


64h 


00U017F6 


call 


ds:Sleep 


004017FC 


push 


offset aMain 


00401801 


call 


dsiprintf 


00401807 


add 


esp, 4 


00401 8 OA 


call 


fool 


00401 8 OF 


mou 


eax, OuBCDh 


00401814 


nush 


ORFFFh 





vuyu^44u 


yu 








7C802441 


90 


nop 




O 


7C30244Z 


E9 E9 53 36 93 


jmp 


^^ ^ (100S7830h) 




7CS0Z447 


6A 00 


push 







7C302449 


FF 75 03 


push 


dword ptr [ebp+3] 




7C30244C 


E3 4E FF FF FF 


call 


7CS0Z39C 




7C302451 


5D 


pop 


ebp 



stdcall Mine Sleep (DWORD dwMilliseconds) 



void 
{ 

10067830 push 

1006783 1 niov 

10067833 push 

10067835 push 

1006783A push 

1006733F niov 

10067845 push 

10067846 niov 
1006734D add 

10067850 push 

10067851 push 

10067852 push 
PRINT_CALLER; 

10067853 niov 
1006785A niov 
1006785C add 
1006735F niov 
10067862 niov 
10067865 niov 
10067867 push 



ebp 

ebp, esp 
OFFFFFFFFh 
101332B0h 

offset _except_handler3^>iQ096970h) 
eax,duord ptr f s : [OOOOOOOOh] 
eax 

dword ptr fs:[0],esp 
esp,0FFFFFFF4h 
ebx 
esi 
edi 
_Print Enter ("Sleep (Ox%X) \n", dwHilliseconds) ; 
dword ptr [pStack],0 

eax, ebp ^ 

eax, 4 



Prolog stuff 

Note: SP is assigned to BP to set stack frame 

Stack - Grows High to Low 



EBP- 



Local variables 



ebp 



Return Address 



0x64 



dword ptr [pStack],eax 
eax,duord ptr [pStack] 
ecx,duord ptr [eax] 
ecx 



Since BP as saved due to saving stack frame 
We can move down 4 bytes to ref 
the return address 



Running Traceapi 



T 



• syelogd.exe - system event logging. Use this utility to set up a pipe 

• withdll.exe - load the detour traceapi.dll and detoured.dll into process sleep5.exe all done at runtime 



c^ Command Prompt (2) | 



^:\Documents and Sett ings\jraber.RED-UNCLflSS\Desktop\Too Is \De tours \bin>s tart syelogd.exe dm.txt 

i:\Documents and Sett in<jfs\jraber.RED-UNCLflSS\Desktop\Too Is \De tours \bin>withdll /d:traceapi.dll sleep5.exe 
iithdll.exe: Starting: sleep5.exe J 
.iithdll.exe: uith C:\Documents and Settings\jraber.RED-UNCLflSS\Desktop\Tools\Detours\bin\traceapi.dll' 

-iithdll.exe: marked by *C:\Documents and SettingsSjraber .RED-UNCLflSS\Desktop\Tools^Detours\bin\detoured.dll , 

traceapi.dll: Starting, 
formal flPP: sleep5.exe: Starting. 
Normal APP: sleep5.exe: Done sleeping. 

J:\Documents and Settings\jraber.RED-UNCLflSS\Desktop\Tools\Detours\bin> 



M 
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Detours - User Process 






Return Address 



DLL call w/ Params 



Return Value 



traceapi : 


001 


[[[403333]]! 








traceapi : 


001 


GetSystertXimeAsFileTime (12fffc4J 








traceapi : 


001 


GetSysteraTiraeAsFileTime ( ) -> 








traceapi : 


001 


[[[403S8F]]] 








traceapi : 


001 


GetCtirrentFrocessId ( J 








traceapi : 


001 


GetCurrentFrocessIdf} -> 160 








traceapi: 


001 


[[[403897]]] 








traceapi : 


001 


GetCurrentThreadld ( } 








traceapi : 


001 


GetCurrentThreadld (J -> 17c4 








traceapi : 


001 


[ [ [403S9F]]] 








traceapi : 


001 


GetTickCaunt () 








*"£w^^api : 


001 


GetTickCount () -> b639170 








traceapi : 




«£ [ [403SAB]]] 








traceapi : 


001 


T^jLeryPerf oriTi.arAce'_-o ^nter ( _^f f dc) 
^JueryFerf ormanceCounter ( ) -> 1 












ji^e-tr^pTT 


001 


[[[401197]]] 






traceapi : 
traceapi : 


001 
001 


GetVersionExA (165358} 






[[[7C812BB2]]] 






traceapi : 


001 


GetVersianExW(12felc) 






traceapi : 


001 


r-Pt.Vpr^innFvWjl --> 1 






traceapi: 


001 


GetVersionExAf)- -> 1 






traceapi : 


001 


[[[403305]]] 






traceapi : 


001 


HeapCreate (DWORD = 0, SIZE_T = 1000, SIZE_T 




traceapi : 


001 


I-ieapCreate () -> 3a0000 









DLL calls made 
from user process 



DLL calls made 
from within DLLs 
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Special Cases 



In case 'traceapi' attach fails, don't worry, the function is too small 
to trampoline. 



£U'JJUz_L_L±4Jb±-dd-Jl Jbz bU . bU : traceap: 

20090211143519891 352 50.60: traceapi: 

20090211143519901 352 50.50: traceapi: 

20090211143519901 352 50.60: traceapi: 

20090211143519901 352 50.60: traceapi: 

20090211143519901 352 50.60: traceapi: 

20090211143519911 352 50.50: traceapi: 

20090211143519911 352 50.60: traceapi: 

20090211143519911 352 50.60: traceapi: 

20090211143519911 352 50.60: traceapi: 

20090211143519921 352 50.60: traceapi: 

20090211143519921 352 50.60: traceapi: 

20090211143519921 352 50.60: traceapi: 



TTt 

### Env= 00165c88 [3d3a3a3d 005c3a3a] 
Attach failed: " CoFreeAllLibraries ■ : error 9 

77503507: 8b cO 

77503509: c3 + 

7750350A: 90 
Attach failed: £ GetCurrentFrocess ■ : error 9 

7C80DE85: S3 c8 ff 

7C80DE88: c3 

7C80DE89: 90 
001 [[[403883]]] 

001 GetSystenffimeAsFileTime (12ffb4) 
001 GetSystemTimeABFileTime () -> 



RET 
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QuietRIATT 



Quiet = Stealthy 
R = Riverside 
I = Import 
A = Address 
T = Table 
T = Tool 
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QuietRIATT Steps 



Preparation: 

- Make DLL Function List 

Plug-In: 

- Read Detours output file 

- Find return address 

- Match 'real' call 

- Annotate IDA Pro 

- Create input file to ImpREC 

- Rebuild it 
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DLL Function List 



In order for QuietRIATT to know which DLL each function comes from, it is 
necessary to disassemble each DLL beforehand and make a list of the 
functions. This list is read into QuietRIATT during initialization. IDA 
makes this easy. 

kernel32.dll export list from IDA disassembly 



Name 


| Address 


I Ordinal 


P ActivateActCtx 


7C8QAG44 


1 


|Q) AddAtomA 


7C8354ED 


2 


|Q) AddAtomW 


7C832GC1 


3 


fQ] AddConsoleAliasA 


7C870CCF 


4 


|0l AddConsoleAliasW 


7C870C91 


5 


p AddLocalAlternateCormputerNameA 


7C858F2G 


G 


p AddLocalAlternateCormputerNameW 


7C858EQA 


7 


SUl AddRefAcOx 


7C82BF01 


8 


§=1 AddVectoredExceplionHandler 


7C808FG3 


9 


p AllocConsole 


7C871321 


10 


p AllocateUserPhysicalPages 


7C85E712 


11 


§=) AreFileApisANGI 


7C83594F 


12 


p AssignProcessToJobObject 


7C82E44A 


13 


p AttachConsole 


7C871509 


14 


|0l BackupRead 


7C85GDDF 


15 



This is machine specific, so it has to be done on the same machine where 
the target program is run. 
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Create Function List 



Disassemble DLLs used in target application (e.g. 
kemel32, user32, ...) 

Copy and paste export list into a text editor 



QuietRIATT liblist.txt 



Activate Ac tCtx 


7C80A644 


1 


kernel32 


.dll 


AddAtoniA 


7CS354ED 


2 


kernel32 


.dll 


AddAtoniW 


7C3326C1 


3 


kernel32 


.dll 


AddConsoleAliasA 


7C370CBF 


4 


kernel32 


.dll 


AddConsoleAliasW 


7C870C81 


5 


kernel32 


.dll 


AddLocalAlternateConiputeirNameA 


7C858F26 


6 


kernel32 


.dll 


AddLocalAlternateConiputerNameW 


7CS5SE0A 


7 


kernel32 


.dll 


AddRef ActCtx 


7C32BF01 


8 


kernel32 


.dll 


AddVectoredExcept ionHandler 


7CS0SF63 


9 


kernel32 


.dll 


AllocConsole 


7CS71311 


10 


kernel32 


.dll 


AllocateUseuPhysicalPages 


7C35E712 


11 


kernel32 


.dll 


AreFileApisANSI 


7C33594F 


12 


kernel32 


.dll 



Add DLL name to 
end (next to ordinal) 
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QuietRIATT and the 
6 Degrees of Abe Simpson 



Detours output file: 



001 


[[[ 4016BF] ]]] 




001 


GetSysteniTinieAsFileTinie 


(13ffb4) 


001 


GetSystemTimeAsFileTime 


o -> 


001 


[[[ 4016CE ]]] 




001 


GetCuruentProcessId () 




001 


GetCurrentProcessId () - 


-> eSS 




-text:TMW j II16B8 
-text:0WW6B9 
-text:004016BF 

-text:00401<5 



xor 



.rdata : 00402028 dword_402028 
.rdata :0O4O202C dword_40202C 
.rdata: 00402030 dword 40203I 
.rdata: 00402034 
.rdata: 00402038 dword_b02038 
.rdata: 004020^ dword 40203C 




eax 

ds: dword 402 03 8 
esi, [ebp+uar_4] 
esi, [ebp+uar_8] 



OCCCCCCCCh 

OCCCCCCCCh 
align 8 
dd OCCCCCCCCh 
dd OCCCCCCCCh 



.rdata: 00402030 ; uoid stdcall GetSystemTimeAsFileTime(LPFILETIME lpSystemTimeAsFileTime) 

.rdata: 00402030 GetSystemTimeAsFileTime dd OCCCCCCCCh ; DATA KREF: security_init_cookie+35tr 

.rdata: 00402034 \ align 8 



ImpREC tree file: 








1 0000202C 


kernel32 .dll 


02 IE 


^InterlockedEx change 
i}e t S y s t eniT ime As F i 1 e T iine 


17 1 00002030 


kei:nel32 .dll 


01BE 
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Findin 


§ 


Return Address - 5 


Byte Calls 


p» 














-text:004016B8 
.text :004O16B9 
-text:0O4O16BF 
-text:004016C2 




push 
call 
mou 
xor 


eax 

ds:duord_40203 
esi, [ebp+uar_4] 
esi, [ebp+uar_8] 


























call addrr = decode puev insn(ret addr) ; 


















-text:OO4016B8 
-text:0O4O16B9 
_text:004016BF 
_text:004016C2 




push 
call 
mou 
xor 


eax 

ds:duord_40203 
esi, [ebp+uar_4] 
esi, [ebp+uar_8] 






















ua anaO(call addr) ; 

set name ( cmd. Operands [ ] . addr: , func name); 














.text:0O4O16B8 
_text:004016B9 
-text :004016BF 
_text:004016C2 




push 
call 
mou 
xor 


eax 




ds iGetSystemTimeflsFileTime 


esi, [ebp+uar_4] 
esi, [ebp+uar_8] 
















DE RESEARCH 


INSTITUTE 


ZR,|lR, RIVERSI 















Finding Return Address - 2 Byte Calls 



001 [ [ [ 40100E ] ] ] 

001 printf (hello would!; 



_text: 00401 001 


mou 


esi, ds:di>Jord 40209C 




.text: 00401 007 


push 


offset aHellol-Jorld ; 


"hello world?\n" 


_text: OO401 00C 


call 


esi 




_text: 00401 00E 


add 


esp, 8 





// Check previous instructions until finding one with our reg 


in destination 


for 
{ 


( int i=0; i<3 2 ; i++) 






prev inst = decode prev insn(prev inst); 




if 


(prev inst == BADADDR) 
break; 








ua 


ana0(prev inst); 








if 


(cind.itype == NN mov £& 










cind. Operands [ ].reg == 


callReg 


&& 




{ 


cind. Operands [ ].type == 


= o mem) 






set name ( cind . Operands [ : 


L] . addr , 


func name) ; 


} 


} 


break; 
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Special cases 



F» 



Unanalyzed Code 
I AT Redirection 
Jump Tables 
Addr Not Found 
Unknown Calls 
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Special Cases - Unanalyzed Code 



Return Address in Unanalyzed Code 



Detours Output 



001 PeekMessageA (,,,,) -> 1 
001 [[[ 4544F5 ]]] 
001 GetMesskgeA (l3f dL5c f 0, 0, 0)| 
001 [ [ [ 42DA28 ]]] 



IDA Disassembly 



.text:004544A7 
_text: 004544 A7 
_text: 004544 A8 
.text: 00454^18 
.text:004544A8 
.text:004544A8 
-text: 00454408 
.text:OO45450C 
.text:OO45450C 



duord 4544A8 



dd 8BEC4D8Bh, 1850FF01h, 6A006Ah, 7D250E8h, OCCCCCCOOh 

dd OCCCCCCCCh, BA164h, OFF6A0O00h f 4E8DDE68h, 89645O00h 

dd 25h f 1CEC830flh f 8BF98B57h, 1450FFO7h, 1A74C084h, 6A006Ah 

dd 4C8D006Ah, 0FF511B24h f 4F338415h, 74CB850Oh, BFFF88305h 

dd OC0321275h f 244C8B5Fh f 0D89641Ch, 



add 



esp, 28h 



IDA SDK Functions 



do_unknown( 0x4544F5 f true) ; 
ua code(0x4544F5) ; 
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Special Cases - Unanalyzed Code 



.text:00i*5i*iiEF 


db 


OFFh 




.text:0O45MiF0 


db 


15h 




.text:O0i*5i*iiF1 


db 


8 4h 


; a 


.text:O0i*5i*iiF2 


db 


33h 


; 3 


-text:0O454iiF3 


db 


4Fh 


; o 


-text:0O4544F4 


db 







.text:O0i*5i*iiF5 ; 














.text:O0i*5i*iiF5 


tes 


t 


eax, eax 


-text:O04544F7 


U 




short near ptr unk 4544FE 


.text:0O45MiF9 


cmp 




eax, OFFFFFFFFh 



.text:O0ii5iiiiEF call 

.text:O0ii5iiiiF5 test 

.text:O04544F7 jz 

■text:004544F9 cup 



ds:dword_4F3384 
eax, eax 

short loc_4544FE 
eax, OFFFFFFFFh 



//look 


backwards at bytes until finding a call 


for(int i=2; i<=7; i++) 


i 

do_ 


unknown (ret addr - i, true); 


if 
{ 


(ua code (ret addr - i) ) 


iff cind.itype == NK call | | 




cind.itype == NN calif i || // Indirect Call Far 




cind.itype == NN callni) // Indirect Call Near 
{ 

result = cmd.ea; 




} 

do_ 

} 


break; 
} 


unknown (ret addr - i, true); 
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Special Cases - I AT Redirection 



Detours Output 



001 [ [ [ 4DS5ES ] ] ] 

001 TlsGetValue (DWORD = f) 

001 TlsGetValue () -> to91e90 



Call to a memory address that's not in the IAT 



call 
text :00UD85B8 mou 



dword_5733BC 
esi, eax 



No data at the address, so check the xrefs 



data:005733BC 00 00 00 00 



dword 5733BC 



dd 



We find 


an IAT entry being moved into the address 








-text: 
-text: 


004D87C1 
004D87C6 


mou 
mou 


eax, 


ds:TlsGel 


tUalue 
eax 


dwor 


d_5733BC f 
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Special Cases - I AT Redirection 



// For all cross references of addr 

for (bool ok=xb.f irst_to (addr, XREF_DATA) ; ok; ok=xb . next_to ( ) ) 

{ 

// If addr is being written to 

if (xb.type == dr_tt) 

{ 

ua_anaO ( xb . f rom) ; 

// See what value is being written. ex: mov addr, reg. 

if (cmd. Operands [ 1] . type == o_reg) 

{ 

ushort myReg = cmd. Operands [0] .reg; 

// See if previous instruction is setting reg 
prev_inst = decode_prev_insn (xb . f roin) ; 
ua_ana0 (prev_inst) ; 

if (cmd.itype == NN_mov ££ 

cmd. Operands [0] .reg == myReg ££ 
(cmd. Operands [ 1] .type == o_mem | | 
cmd. Operands [ 1] .type == o_near | | 
cmd. Operands [ 1] . type == o far)) 



{ 



set_name (cmd. Operands [ 1] .addr, name); 

found = true; 

break; 



Could add a check to see 
if the addr is in the IAT, and 
if not, make a recursive call. 
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Special Cases 



Jump Tables 



if ( ! addr_is_in_iat( addr ) ) 

{ 

// Check to see if addr is ajump to IAT addr 

ua_anaO ( addr } ; 

if (cmd.itype >= NW_ja &£ cmd. itype <= NN_jmpshort) 

{ 

if ( addr _is_in_ i at ( cmd. Operands [ ].addr)) 

{ 

set_name( cmd. Operands [ ] . addr , name); 

} 
} 
} 
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Special Cases - Addr Not Found 



IDA Pro Message Window 



0045020D: couldn 


't find 


adc 


Ires5 of cal 1 


Getcl a55NameA. 


Have to fix manually. 
























Addr of GetClassNameA 






















y being moved into EBX. 


IDA Pro Disassembly 
















> 


/ 


.text:004501EB 


53 














push 


ebx ^ 




.text:OO4501EC 


8B 


1D 


8C 


33 4F 00 








no u 


ebx, ds:di>Jord 4F338C 




.text:O045O1F2 


57 














push 


edi 




.text:OO4501F3 


BE 


00 


01 


00 00 








no u 


esi, 100h 




.text:O045O1F8 


EB 


06 












jnp 


short loc 450200 




.text:OO4501F8 
.text:O045O1FA 
-text: 00450200 


8D 


9B 


00 


00 00 00 


j 
















align 


10h^ , 


decode_prev_insn() won't work 
past unanalyzed data. 


-text:00450200 










loc 


4502 00: 




; CODE 




.text: 00450200 


56 














push 


esi 




_text: 00450201 


8D 


4C 


24 


14 








lea 


ecx, [esp+28h+uar 14] 




-text: 00450205 


E8 


86 


6A 


FB FF 








call 


sub 406C90 




.text: 004502 Oft 


56 














push 


esi 




.text: 004502 0B 
.text: 004502 0C 


50 
55 














push 
push 


eax 

ebp _ 


— Call being made through EBX. 


-text: 004502 OD 


FF 


D3 












call 


ebx Mr 




.text: 004502 OF 


8D 


4C 


24 


10 








lea 


ecx , [esp+30h+uar_20] 
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Special Cases - Addr Not Found 



IDA Pro Message Window 

|QQ4D9172: couldn't find address of call isFrocessorFeatureFresent. Have to fix manually. | 



IDA Pro Disassembly 



.text:O04D9151 


_ns_p5 


mp 


test 


fdiu 


proc near ; CODE NREF: fpnath+5tp 


_text: 00409151 








push 


offset aKernel32 ; ,, KERNEL32" 


.text:004D9156 








call 


ds :GetModuleHandleA 


-text:004D915C 








test 


eax, eax 


_text:00iiD915E 








U 


short loc 4D9175 


_text:00iiD9160 








push 


offset alsprocessorfea ; "IsProcessorFeaturePresenf 


-text:004D9165 








push 


eax 


-text:004D9166 








call 


ds:GetProc Address 


_text:00iiD916C 








test 


eax, eax 


_text:00iiD916E 








U 


short loc 4D9175 


.text:O0iiD9170 








push 





-text:0O4D9172 








call 


eax 


.text: 00409174 








retn 
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Special Cases - Unknown Calls 



If not every call is used during execution (which is likely), QuietRIATT 
won't know what the call is, so defaults have to be chosen as 
placeholders. 

support.h 



DEFAULT_DLL_FUNC clef ault_f uncs [] = { 
{"kerne 13 2.dll", "AddAtomA", 2}, 
{ "user32 . dll", "MessageBoxA", 477} , 
{"shell32.dll", "GetFileNameFrottiBuouse", 63}, 
{ "advapi32 .dll", "ReportEventA", 523} , 
{ "comdlg32 .dll", "CommDlgExtendedError", 
"TextOutA", 591} , 

" uinitenv", 255} , 

"CreateEurorlnfo", 138} , 
"Great eS tat us WindouA", 



105}, 



{ "gdi32 .dll", 
{ "msvcrSO.dll", 
{"ole32.dll", 
{ "comct!32 .dll", 



6}, 



{NULL, NULL, NULL} 



}, 



When new functionality is discovered in the program, re-run Detours and 
QuietRIATT and the new functions will be added. 
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Demonstration 



Sample "Hello World" with IAT removed 



cv Command Prompt 



Microsoft Windows HP [Uersion 5.1.2600] 
CO Copyright 1985-2001 Microsoft Corp. 

C : \Quie tRI ATT\Deino >he llo . exe 
hello world? 
goodbye world? 

C : \Quie tRI ATT\Deiio >_ 



Jnlx 
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Summary 



F» 



• Not an ImpREC replacement, QuietRIATT 
fills a gap that ImpREC doesn't cover 

• A stealthy solution 

• Can save many hours of tedious, error 
prone manual labor 
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Future Work 






Add ability for QuietRIATT to fix binary 
directly (no need for ImpREC). 

In cases where IAT is dynamic, keep 
internal list of entries 

Feed QuietRIATT run trace from stealthy 
debugger to fix case where "address not 
found" 
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Contact Info / Q&A 



Riverside Research Institute Software Security Team 

http://www.rri-usa.org/isrsoftware.html 
For binary and source code, contact us at: 

Jason Raber 

Team Lead, Reverse Engineer 

937-427-7085 
jraber@rri-usa.org 

Brian Krumheuer 

Reverse Engineer 

937-427-7087 

bkrumheuer@rri-usa.org 
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